Jan 06, 2010

Chapter 7.2 The Fight Over Intrusion Detection

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: fact.check.baker@gmail.com. If you're dying to order the book, send mail to the same address.

--Stewart Baker

It didn't matter how obviously necessary a security measure
was.Resistance to any change was
strong. A case in point was the effort to install intrusion monitoring on the
federal government's own networks.

To succeed, most cyberattacks must do two things. The hackers
first have to get malicious code into the network they’ve targeted. Then they
have to get stolen information out. If we can detect either step, we can thwart
the attack. So one way to defend our networks is to do a thorough job of
monitoring traffic as it goes in and out.
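The two-step point above, as an added example that is not from the book: a minimal monitor that watches traffic in both directions, flagging inbound payloads that match known-malicious content and internal hosts whose outbound volume exceeds a cap. The address ranges, hashes and the egress cap are constructed for illustration.

```python
"""Two-direction network monitor: catch malicious code coming in, or stolen
data going out. Detecting either stage is enough to disrupt the attack."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample values for the example; not real indicators or policy.
KNOWN_BAD_HASHES = {"deadbeef01", "c0ffee02"}   # hashes of known malware payloads
INTERNAL_NET = "10.0."                          # the agency's own address space
EGRESS_CAP_BYTES = 5_000_000                    # per-host outbound cap per window


@dataclass
class Flow:
    src: str
    dst: str
    nbytes: int
    payload_hash: str = ""   # hash of the transferred content, if captured


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def analyze(flows):
    """Return (reason, flow) alerts. Inbound flows are matched against known
    malicious content; outbound bytes are summed per internal host and the
    host is flagged once when its total crosses the egress cap."""
    alerts, egress, flagged = [], defaultdict(int), set()
    for f in flows:
        inbound = not is_internal(f.src) and is_internal(f.dst)
        outbound = is_internal(f.src) and not is_internal(f.dst)
        if inbound and f.payload_hash in KNOWN_BAD_HASHES:
            alerts.append(("inbound-malware", f))
        elif outbound:
            egress[f.src] += f.nbytes
            if egress[f.src] > EGRESS_CAP_BYTES and f.src not in flagged:
                flagged.add(f.src)
                alerts.append(("excessive-egress", f))
    return alerts


# Constructed sample traffic: one inbound malware delivery, one slow
# exfiltration split across two transfers, and benign noise.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.0.7", 2_048, "deadbeef01"),
    Flow("203.0.113.9", "10.0.0.8", 512, "00aa11bb22"),
    Flow("10.0.0.7", "198.51.100.20", 3_000_000),
    Flow("10.0.0.7", "198.51.100.20", 3_000_000),
    Flow("10.0.0.8", "198.51.100.21", 1_000_000),
    Flow("10.0.0.7", "10.0.0.9", 9_000_000),   # internal only; not monitored
]

if __name__ == "__main__":
    for reason, flow in analyze(SAMPLE_FLOWS):
        print(f"{reason}: {flow.src} -> {flow.dst} ({flow.nbytes} bytes)")
```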

We’ve known this for a decade. The Clinton administration’s
cybersecurity strategy, drafted in 1999 and released in early 2000, called for
a network of intrusion detection monitors that could inspect packets going into
and out of all federal government networks. President Clinton requested funds for
intrusion monitoring in his outgoing budget. But civil libertarians
quickly launched a campaign against it.

It was an odd battle for them to choose. The point of the monitoring network was to inspect government communications. Even the most extreme privacy zealot shouldn't be shocked to discover that the government was reading its own mail, much less that it was inspecting its mail for malware. By then, government agencies were already screening emails for spam; the intrusion detection network simply extended that concept to other unwanted packets. What's more, since roughly the 1980s, these computers had been displaying warnings to users that government systems are subject to monitoring.

But privacy groups were spoiling for a fight. They portrayed the
proposal as the second coming of Big Brother.

"I think this is a very frightening proposal," an ACLU
representative told ZDNet News.

"We feel the government should spend its resources closing
the security holes that exist, rather than to watch people trying to break
in," said a counsel for the Center for Democracy and Technology.

"I think the threats (of network vulnerability) are completely overblown," said the general counsel for the Electronic Privacy Information Center, adding that claims of a security threat are leading to "a Cold War mentality" that threatens ordinary citizens' privacy.

In the end, civil liberties resistance was so strong that only the
Defense Department was allowed to build an intrusion detection network. For
years thereafter, the civilian agencies experienced intrusions that could have
been prevented by the intrusion prevention system proposed by President
Clinton. But once burned was twice shy. The privacy groups had thoroughly
tainted the idea of intrusion prevention on the Hill, and there was real
reluctance to revisit the issue. When the Bush Administration wrote its
cybersecurity strategy, it did not even try to revive the idea.

Finally, though, five years later, the Bush Administration decided
to force the issue. Mike McConnell, the Director of National Intelligence, had
been my boss at NSA, and he had spent the years after leaving NSA building a
cybersecurity practice at a large consulting firm. A quiet, self-deprecating
Southerner with a talent for briefing higher-ups, McConnell was determined to
move cybersecurity to the front burner.

He didn’t have to work too hard to persuade DHS to take on the
challenge. We were alarmed at the ease with which attacks were being launched
against civilian agencies. With the backing of President Bush and Mike
McConnell, we again proposed an intrusion detection network for civilian
agencies. And civil libertarians once again renewed the fight to stop us – as
though nothing had changed in ten years. Without the slightest evidence of
irony, they again raised privacy objections to the government monitoring its
own communications.

We got further than President Clinton did, but not much. Congress
appropriated funds for the project, but it had not been fully implemented when
Barack Obama was elected President. Spooked by the privacy outcry, the Obama
Administration postponed full implementation of intrusion monitoring so that it
could again examine all of the privacy issues. Pilot projects are underway, but
final decisions about how, when, and whether to implement effective intrusion
monitoring are still awaiting consensus among the lawyers.

Meanwhile, attacks similar to those that compromised the Dalai Lama’s
network are continuing. The privacy debate had caused ten years of delay, and
it may yet kill an effective intrusion prevention system.